What is Kerberos?
- IAM Glossary
- What is Kerberos?
Kerberos is a computer network authentication protocol that verifies the identities of users or hosts using a system of digital “tickets.” It uses secret-key cryptography and a trusted third party to verify user identities and authenticate client-server applications.
The Kerberos protocol was originally developed at the Massachusetts Institute of Technology (MIT) in 1988, so the university could securely authenticate network users and authorise them to access specific resources, such as storage and databases. At the time, computer networks authenticated users with user IDs and passwords – which were transmitted unencrypted, in plain text. This enabled threat actors to intercept user credentials and use them to breach MIT’s network.
Kerberos enabled trusted hosts to communicate over untrusted networks – in particular, the internet – without transmitting or storing passwords in plain text. Additionally, Kerberos allowed users to access multiple systems with only one password, an early version of Single Sign-On (SSO) technology.
What is Kerberos used for?
Kerberos is one of the most widely used network authentication protocols today. It is frequently used to support SSO in large enterprise networks, is the default authentication method in Windows and it plays an integral role in Windows Active Directory (AD). Kerberos implementations are also available in Apple OS, FreeBSD, UNIX and Linux.
What is the purpose of a ticket when using Kerberos?
Tickets are at the heart of the Kerberos authentication protocol.
The name Kerberos comes from Greek mythology. Kerberos, also known as Cerberus, was a three-headed dog who guarded the gates to the world of the dead. The name refers to the three “heads” of the Kerberos protocol: the client, the server and the Kerberos Key Distribution Center (KDC) which issues Kerberos “tickets.”
A Kerberos “ticket” is a digital certificate, issued by an authentication server and encrypted using the server key, that enables hosts to prove their identity to each other in a secure manner. This is known as mutual authentication.
The requesting and granting of Kerberos tickets happens transparently to the end user. When a client receives a Kerberos authentication ticket, it returns the ticket to the server, along with additional information to verify the client's identity. The server then issues a Kerberos service ticket and a session key, which completes the authorisation process for that session. All Kerberos tickets are time-stamped, time-limited and session-specific, which minimises the risk that a threat actor can use a compromised ticket to access the system.
How does the Kerberos protocol work?
Here’s a very simplified description of the Kerberos protocol in action:
- The Kerberos client authentication process begins when a client requests an Authentication Ticket, or Ticket Granting Ticket (TGT), from the KDC authentication server. Because this initial request contains no sensitive information, it’s sent in plain text.
- The KDC looks for the client in its database. If the KDC finds the client, it sends back an encrypted TGT and session key. Otherwise, the process stops and the client is denied access.
- Once authenticated, the client uses the TGT to request a service ticket from the Ticket Granting Service (TGS).
- If the TGS can authenticate the client, it sends the client the credentials and ticket to access the requested service. This ticket is stored on the end user’s device.
- The client uses their ticket to request access to the application server. Once the application server authenticates the request, the client can access the server.
What are the benefits of the Kerberos protocol?
Kerberos is a mature, robust authentication protocol that is integrated into all popular operating systems and supports modern distributed computing environments. It’s especially suited for SSO deployments, where it provides the back-end technology to ensure that end users have a smooth experience while supporting Role-Based Access Control (RBAC) and least-privilege access to digital resources.
Can Kerberos be hacked?
Because Kerberos is a widely used, decades-old technology, threat actors have found ways to compromise it. Common Kerberos cyber attacks include:
- Pass-the-ticket attacks, where threat actors intercept and reuse tickets sent to or from an authenticated user.
- Golden ticket attacks, also known as DC shadow attacks, where threat actors obtain the access they need to set up their own Windows domain controller. This enables them to create phony privileged credentials that grant them unlimited access to network resources.
- Credential stuffing attacks, where threat actors attempt to compromise user passwords. These attacks generally target KDC authentication servers or ticket-granting services.
However, while no technology is 100% unhackable, Kerberos is quite secure if it’s configured and maintained properly. To keep your Kerberos deployment secure, be sure to keep Kerberos updated and ensure that your end users are all using strong, unique passwords backed up with Multi-Factor Authentication (MFA).